Ingest pipeline should work based on conditions

Mohan_vel · June 19, 2020, 12:46pm

Hi i have created a ingest pipeline using grok processor below is my processor

Ingest pipeline with grok

      PUT _ingest/pipeline/dissectpipeline
        {
          "description" : "split message content",
          "processors": [
            {
              "grok": {
                  "field": "message",
                  "patterns": ["agentId:%{NOTSPACE:agentId}","statuscode:%{NOTSPACE:statuscode}"]
                }
            }
          ]
        }

Pipeline simulation example

    POST /_ingest/pipeline/dissectpipeline/_simulate
    {
      "docs": [
        {
          "_index": "index",
          "_id": "id",
          "_source": {
            "message": "agentId:F00356"
          }
        },
        {
          "_index": "index",
          "_id": "id",
          "_source": {
             "message": "statuscode:400"
          }
        },
        {
          "_index": "index",
          "_id": "id",
          "_source": {
             "message": "log event SQL Success:200"
          }
        }
      ]
    }

For first and second document it is working as expected but for my 3 rd document it's throwing error grok pattern not matched. Same happening while indexing my real time documents.

Here my requirement is only if the message field of a document contains specific text it should grok else it should not consider for grok ultimately the thing is while calling this pipeline in my filebeat all the document should get indexed in elasticsearch only for few documents which contains specific text like agentId, statuscode, serviceclient in message field it should get groked and created respective field with in the same document. Kindly someone help me to achieve this. Thanks in advance.

Note : In all my incoming documents message field should not contain grok pattern text. lot more varies.

If any clarifications needed let me know.

Mohan_vel · June 20, 2020, 7:05am

Hi Guys, I have done something like this and it seems to be working fine.

**Pipeline**

    PUT _ingest/pipeline/dissectpipeline
        {
          "description" : "split message content",
          "processors": [
            {
              "grok": {
                  "field": "message",
                  "patterns": ["CSIC_agentId:%{NOTSPACE:apm_agentId.agentId}","CSIC_statuscode:%{NOTSPACE:apm_statuscode.statuscode}"
                    ,"CSIC_servicename:%{NOTSPACE:apm_servicename.servicename}"]
                }
            }
          ]
        }

pipeline with conditions

    PUT _ingest/pipeline/logs_pipeline
    {
      "description": "A pipeline of pipelines for log files",
      "version": 1,
      "processors": [
        {
          "pipeline": {
            "if": "ctx.message.toLowerCase().contains('csic_agentid')||ctx.message.toLowerCase().contains('csic_statuscode')||ctx.message.toLowerCase().contains('csic_servicename')",
            "name": "dissectpipeline"
          }
        }
      ]
    }

Could some one let me know is this a right approach?

system · July 18, 2020, 7:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Generate grok custom pattern to message filed Elasticsearch	9	564	July 16, 2020
[Ingest pipeline] tag and trace match Elasticsearch ingest-pipeline	1	938	March 31, 2022
Ingest Processor Conditional Elasticsearch	2	551	July 7, 2020
Ingest Pipeline Creating Grok Pattern with string as dependency Elasticsearch ingest-pipeline	2	128	March 10, 2024
Ingest pipeline dissect processor Elasticsearch	1	344	July 12, 2020

Ingest pipeline should work based on conditions

Related Topics